Vulnerability scanning lets you find weaknesses in your own systems before attackers do. This page covers how vulnerabilities are tracked and scored, the key scanning tools, and practical command examples you can run in a lab environment.
Only scan systems you own or have explicit written permission to test. Unauthorized scanning is illegal in most jurisdictions, regardless of intent.

How vulnerabilities are tracked

CVE — Common Vulnerabilities and Exposures

A CVE is a standardized identifier used to name and track publicly disclosed security vulnerabilities. Each record takes the form CVE-YYYY-NNNNN (year + sequence number). Example: The Stuxnet worm (2010) exploited multiple CVEs simultaneously, including CVE-2010-2568 (a Windows LNK file parsing flaw) as its primary vector. CVE records are maintained by MITRE and are the universal language for discussing specific vulnerabilities across vendors, tools, and databases. Related concepts: NVD, CVSS, security bulletins, vulnerability management, patch management.

NVD — National Vulnerability Database

The NVD (National Vulnerability Database) is a public U.S. government-run database that catalogs known security vulnerabilities, indexed by CVE IDs. It enriches raw CVE data with:
  • CVSS severity scores
  • Affected product/version mappings (CPE)
  • Remediation guidance links
  • References to vendor advisories
You can search NVD at nvd.nist.gov.

CVSS — Common Vulnerability Scoring System

CVSS provides a numerical score (0–10) representing the severity of a vulnerability. Scanners like Nessus and OpenVAS report CVSS scores alongside their findings.
Score Range    Severity
0.0            None
0.1 – 3.9      Low
4.0 – 6.9      Medium
7.0 – 8.9      High
9.0 – 10.0     Critical
CVSS scores consider factors such as attack vector (network vs. local), attack complexity, privileges required, and the potential impact on confidentiality, integrity, and availability.
CVSS scores reflect theoretical severity, not real-world exploitability. A CVSS 9.8 vulnerability with no public exploit and a compensating control may be lower priority than a CVSS 7.0 vulnerability actively being exploited in the wild.
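The banding table and the prioritization point above, as an added example (not code from any scanner): the CVSS bands are the ones in the table, while the weights for exploit status, compensating controls and asset value are an assumed illustrative policy, and the findings are constructed with placeholder CVE ids.

```python
"""Band CVSS scores and rank findings: CVSS first, then exploitability,
compensating controls and asset value. Added example; the weights are an
assumed policy, not a standard, and the findings are constructed."""
from dataclasses import dataclass

# Qualitative bands from the CVSS table above (scores carry one decimal).
CVSS_BANDS = ((0.0, 0.0, "None"), (0.1, 3.9, "Low"), (4.0, 6.9, "Medium"),
              (7.0, 8.9, "High"), (9.0, 10.0, "Critical"))


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to its qualitative band."""
    score = round(score, 1)
    for low, high, label in CVSS_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"CVSS score out of range: {score}")


@dataclass
class Finding:
    cve: str                            # placeholder ids below, not real CVEs
    cvss: float
    exploited_in_wild: bool = False     # actively exploited right now
    public_exploit: bool = False        # working exploit code is public
    compensating_control: bool = False  # e.g. port filtered, feature disabled
    asset_value: int = 1                # 1 = low ... 3 = business critical


def priority(f: Finding) -> float:
    """Assumed triage formula: CVSS is the starting point, exploit status
    raises it, a compensating control lowers it, asset value scales it."""
    score = f.cvss
    if f.exploited_in_wild:
        score += 4.0
    elif f.public_exploit:
        score += 2.0
    if f.compensating_control:
        score -= 3.0
    return max(score, 0.0) * f.asset_value


def triage(findings: list) -> list:
    """Return findings most urgent first."""
    return sorted(findings, key=priority, reverse=True)


if __name__ == "__main__":
    sample = [Finding("CVE-EXAMPLE-1", 9.8, compensating_control=True),
              Finding("CVE-EXAMPLE-2", 7.0, exploited_in_wild=True),
              Finding("CVE-EXAMPLE-3", 5.3, public_exploit=True, asset_value=3)]
    for f in triage(sample):
        print(f"{f.cve}: {cvss_severity(f.cvss)} ({f.cvss}) -> {priority(f):.1f}")
```

With these weights the Critical 9.8 behind a compensating control ranks below the High 7.0 that is being exploited, which is the ordering the paragraph above argues for.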

Scanning Tools

nmap — Network Mapper

nmap is the standard tool for network discovery and port scanning. It tells you which hosts are up, which ports are open, and what services and versions are running.
# Basic host discovery — find live hosts in a subnet
nmap -sn 192.168.1.0/24

# Scan the top 1000 most common ports on a single host
nmap 192.168.1.10

# Full port scan (all 65535 ports)
nmap -p- 192.168.1.10

# Service and version detection
nmap -sV 192.168.1.10

# OS detection (requires root/sudo)
sudo nmap -O 192.168.1.10

# Aggressive scan: OS + version + scripts + traceroute
sudo nmap -A 192.168.1.10

# Run default vulnerability detection scripts (NSE)
nmap --script vuln 192.168.1.10

# Save output to a file (all formats)
nmap -oA scan_results 192.168.1.10

# Scan multiple targets from a file
nmap -iL targets.txt
The Nmap Scripting Engine (NSE) extends nmap with hundreds of scripts for specific checks:
# Check for the EternalBlue SMB vulnerability (MS17-010)
nmap --script smb-vuln-ms17-010 -p445 192.168.1.10

# Check for anonymous FTP access
nmap --script ftp-anon -p21 192.168.1.10

# Enumerate HTTP directories
nmap --script http-enum -p80,443 192.168.1.10

nikto — Web Server Scanner

nikto scans web servers for dangerous files, outdated software versions, and misconfigurations.
# Basic scan of a web server
nikto -h http://192.168.1.10

# Scan a specific port
nikto -h http://192.168.1.10 -p 8080

# Save output to a file
nikto -h http://192.168.1.10 -o results.txt -Format txt

# Use SSL
nikto -h https://192.168.1.10 -ssl
Nikto checks for issues including:
  • Default credentials on common applications
  • Sensitive files accidentally exposed (.env, backup files, .git)
  • Missing security headers (X-Frame-Options, Content-Security-Policy)
  • Outdated server software with known CVEs

OWASP ZAP — Zed Attack Proxy

OWASP ZAP is an open-source web application security scanner that works as an intercepting proxy. It can:
  • Crawl web applications and map all endpoints
  • Passively flag issues while you browse manually
  • Run automated active scans against discovered content
  • Intercept and modify HTTP requests for manual testing
ZAP is particularly effective for finding OWASP Top 10 vulnerabilities including XSS, SQL injection, and IDOR.

OpenVAS / Greenbone

OpenVAS (now part of the Greenbone Vulnerability Management suite) is a comprehensive, free vulnerability scanner. It maintains a continuously updated feed of Network Vulnerability Tests (NVTs) and produces detailed reports with CVSS scores and remediation steps.
# Start the OpenVAS services (after installation)
sudo gvm-start

# Access the web interface at https://localhost:9392

Nessus

Nessus (by Tenable) is a commercial vulnerability scanner widely used in enterprise environments. The free Nessus Essentials tier allows scanning up to 16 IP addresses and is suitable for learning and home lab use. Key capabilities:
  • Credentialed scans (logs into hosts to find local vulnerabilities)
  • Compliance checks against CIS benchmarks
  • Plugin library of 100,000+ checks updated daily
  • CVSS-scored findings with remediation guidance

Vulnerability scanning workflow

1. Define scope
   List the IP ranges, hostnames, and application URLs you are authorized to scan. Document this before you start.

2. Network discovery
   Run nmap -sn to identify live hosts, then narrow your scope to active targets.

3. Port and service enumeration
   Run a full service-version scan (nmap -sV -p-) to understand what is exposed on each host.

4. Vulnerability detection
   Run NSE scripts (nmap --script vuln), nikto (for web servers), or a full OpenVAS/Nessus scan to identify known vulnerabilities.

5. Prioritize findings
   Use CVSS scores as a starting point, then factor in exploitability (is there a public exploit?) and the value of the affected asset.

6. Remediate and re-scan
   Apply patches, update configurations, or add compensating controls. Re-scan to confirm the finding is resolved.
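Step 6 in practice, as an added example that is not nmap's code: diff the .xml report that nmap -oA writes before and after a fix, so a finding is closed only when the re-scan no longer reports it. BASELINE and RESCAN are constructed samples that follow nmap's XML output schema, trimmed to the elements used here.

```python
"""Confirm remediation by diffing two nmap XML reports (the .xml file that
-oA writes). Added example, not nmap's code; BASELINE and RESCAN below are
constructed samples in nmap's XML schema."""
import re
import xml.etree.ElementTree as ET

# NSE vuln-library scripts (smb-vuln-*, --script vuln) print a "State:" line.
# "NOT VULNERABLE" also contains the word, so match the state itself.
VULN_STATE = re.compile(r"State:\s*(LIKELY )?VULNERABLE\b")


def vulnerable(xml_text: str) -> set:
    """Return {(host, 'port/proto', script_id)} for open ports on live hosts
    where a script reported VULNERABLE or LIKELY VULNERABLE."""
    found = set()
    for host in ET.fromstring(xml_text).iter("host"):
        status, addr = host.find("status"), host.find("address")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            key = f"{port.get('portid')}/{port.get('protocol')}"
            for script in port.findall("script"):
                if VULN_STATE.search(script.get("output", "")):
                    found.add((addr.get("addr"), key, script.get("id")))
    return found


def remediation_report(before_xml: str, after_xml: str) -> dict:
    """Which findings the re-scan resolved, still reports, or newly found."""
    before, after = vulnerable(before_xml), vulnerable(after_xml)
    return {"resolved": sorted(before - after),
            "still_open": sorted(before & after),
            "new": sorted(after - before)}


BASELINE = """<nmaprun><host><status state="up"/>
<address addr="192.168.1.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/>
<script id="smb-vuln-ms17-010" output="State: VULNERABLE"/></port>
</ports></host><host><status state="up"/>
<address addr="192.168.1.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/>
<script id="smb-vuln-ms17-010" output="State: VULNERABLE"/></port>
</ports></host></nmaprun>"""
# Re-scan after patching .10 only: its script now reports NOT VULNERABLE.
RESCAN = BASELINE.replace("State: VULNERABLE", "State: NOT VULNERABLE", 1)

if __name__ == "__main__":
    print(remediation_report(BASELINE, RESCAN))
```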